By Brian Chappell, BeyondTrust
On July 1st of this year, the Monetary Authority of Singapore introduced new guidelines that require financial institutions to take specific measures to manage risk. The regulations also impact any financial organisation trading with companies in Singapore, so while these new guidelines may sound local, its implications are global.
According a report published by the City of London analysing global financial markets, Singapore is ranked as the fourth leading financial centre in the world. The Bank of International Settlements ranks Singapore as the third largest foreign exchange centre in the world, after London and New York.
Overview of the new guidelines and notices
The TRM Guidelines aim to demonstrate best practices, which financial institutions are expected to adopt. Although the guidelines are not legally binding, they will be taken into account by the Monetary Authority of Singapore (MAS) in its risk assessment of a financial institution.
The TRM Notices do have legal force and set out the requirements around technology risk management across reliability, availability and recoverability of critical IT systems. Failure to adhere to these notices could result in penalties.
These new regulations – which supersede previous ones – apply to a wide range of financial institutions including insurance providers, stock brokers, and payment services firms. They even go so far as applying to individuals with licenses to provide some sort of financial service. Details of the guidelines and notices were announced just over a year ago in June 2013, but many financial institutions are still struggling to achieve compliance.
MAS has very good reasons for believing these guidelines are so important. Financial institutions are so reliant on technology to operate their businesses and are typically at the forefront of technology innovation.
With that comes complexity, which can heighten the risk of cyber-attacks and other security instances, as well as the risk of system atrophy or outright failure. These new guidelines focus not only on resilience, but also on availability and recoverability. They also place an emphasis, and rightly so, on ensuring protection of customers’ sensitive data.
Risk management – inside and out
The TRM guidelines specifically call out the need to manage the amount of ‘privilege’ that users have (in other words, what data they are allowed to access). While incidents caused (either intentionally or accidentally) by insiders form a small proportion of security breaches, they often have the most damaging consequences. Plus, looking at the wider requirements of the MAS requirements, data confidentiality and system integrity are difficult to achieve if privileged user accounts and activity are not adequately controlled.
Fortunately, the documents supplied by MAS provide financial institutions with some clear best practice around privilege user management:
- The never alone principle –procedures for handling the most sensitive and critical functions must be carried out by more than one person, including PIN-code generation, the creation of cryptographic keys, and the use of administrative accounts.
- Segregation of duties – this is an essential part of internal control and requires that certain functions are separated and performed by different groups of employees. For example, no one person should be able to initiate, enter, approve, and execute transactions into the systems.
- The access control principle –the access rights or system privileges should be granted based on job responsibility and should only be sufficient for the duties that a person has to fulfil. Of course, the threat is not just within an organisation and MAS compliance requires financial institutions to protect systems against external risks and vulnerabilities, such as hacking and malware attacks. This needs to be across all internal and external systems, external resources mobile devices and cloud services. Organisations need to have plans in place to not only identify but also remediate vulnerabilities, plus clear audit trails.
One of the biggest challenges for companies implementing MAS is having clear visibility across the entire threat landscape and to have context around what constitutes a real vulnerability. Companies also need to know what an attack looks like as it migrates from the outside to the inside, because by the time a hacker is within the firewall, he or she probably looks just like an employee.
While we would not suggest there are any instant fixes, there are some very simple things that companies could do to protect themselves better:
Stop focusing just on the end of the attack lifecycle – while an organisation may become incredibly efficient at spotting attacks, it can never win this battle. Defensive security means only having to do a few things very well to improve protection (such as improving password policies, limiting admin rights and best practice software patching are very effective).
Accept that it’s not just the security team’s responsibility- While there is an arguably an infinite amount of malware out there, there is a finite number of ways that an attacker can get in. Many of these fall under the responsibility of IT operations and users: shared accounts, super user accounts, monitoring and analysis of audit logs, controlled access based on need-to-know.
Get a hold on context - IT operations and security teams also need to work together to analyse and assess what constitutes a real-world risk. For instance, imagine a vulnerability management system finds 1000 vulnerabilities. In reality, 800 of those vulnerabilities are affecting client applications and therefore if best practices are being used on servers (such as not browsing the internet from them) then the number of vulnerabilities that really matter may only be 200.
Then, if on further investigation, the majority of those are not being exploited, the real threats that need further investigation might only be 50. Suddenly, it is a lot easier to translate a mountain of data from a vulnerability management system into something that is feasible to address by the IT operations and security team.
All this is perfectly achievable, given the right processes security software tools. And while not everyone may welcome the forced deadline by MAS, if it means that financial institutions now have clear guidelines for taking their security and risk management up a gear, then that has to be good news all round.
About the author:
Brian Chappell is Director of Technical Services for BeyondTrust in EMEA and APAC. He has been an IT professional for over 26 years during which time he has managed systems providing network services to thousands of users through to global B2B interfaces carrying transactions worth billions of dollars. He has held a number of senior roles in companies such as Amstrad plc, BBC Television and GlaxoSmithKline. www.beyondtrust.com